Home » Dell Manuals » Wireless » Dell W-Series 228 » Manual Viewer

Dell W-Series 228 Instant 6.4.3.1-4.2 User Guide - Page 157

X authentication, MAC authentication with 802.1X authentication, Captive Portal Authentication

Add to My Manuals
Save this manual to your list of manuals

Page 157 highlights

802.1X authentication 802.1X is an IEEE standard that provides an authentication framework for WLANs. 802.1X uses the Extensible Authentication Protocol (EAP) to exchange messages during the authentication process. The authentication protocols that operate inside the 802.1X framework include EAP-Transport Layer Security (EAP-TLS), Protected EAP (PEAP), and EAP-Tunneled TLS (EAP-TTLS). These protocols allow the network to authenticate the client while also allowing the client to authenticate the network. For more information on EAP authentication framework supported by the W-IAP, see Supported EAP Authentication Frameworks on page 158. 802.1X authentication method allows a W-IAP to authenticate the identity of a user before providing network access to the user. The Remote Authentication Dial In User Service (RADIUS) protocol provides centralized authentication, authorization, and accounting management. For authentication purpose, the wireless client can associate to a network access server (NAS) or RADIUS client such as a wireless W-IAP. The wireless client can pass data traffic only after successful 802.1X authentication. For more information on configuring a W-IAP to use 802.1X authentication, see Configuring 802.1X Authentication for a Network Profile on page 176. MAC authentication MAC authentication is used for authenticating devices based on their physical MAC addresses. MAC authentication requires that the MAC address of a machine matches a manually defined list of addresses. This authentication method is not recommended for scalable networks and the networks that require stringent security settings. For more information on configuring a W-IAP to use MAC authentication, see Configuring MAC Authentication for a Network Profile on page 177. MAC authentication with 802.1X authentication This authentication method has the following features: l MAC authentication precedes 802.1X authentication - The administrators can enable MAC authentication for 802.1X authentication. MAC authentication shares all the authentication server configurations with 802.1X authentication. If a wireless or wired client connects to the network, MAC authentication is performed first. If MAC authentication fails, 802.1X authentication does not trigger. If MAC authentication is successful, 802.1X authentication is attempted. If 802.1X authentication is successful, the client is assigned an 802.1X authentication role. If 802.1X authentication fails, the client is assigned a deny-all role or mac-auth-only role. l MAC authentication only role - Allows you to create a mac-auth-only role to allow role-based access rules when MAC authentication is enabled for 802.1X authentication. The mac-auth-only role is assigned to a client when the MAC authentication is successful and 802.1X authentication fails. If 802.1X authentication is successful, the mac-auth-only role is overwritten by the final role. The mac-auth-only role is primarily used for wired clients. l L2 authentication fall-through - Allows you to enable the l2-authentication-fallthrough mode. When this option is enabled, the 802.1X authentication is allowed even if the MAC authentication fails. If this option is disabled, 802.1X authentication is not allowed. The l2-authentication-fallthrough mode is disabled by default. For more information on configuring a W-IAP to use MAC + 802.1X Authentication, see FConfiguring MAC Authentication with 802.1X Authentication on page 179. Captive Portal Authentication Captive portal authentication is used for authenticating guest users. For more information on captive portal authentication, see Captive Portal for Guest Access on page 127. 157 | Authentication and User Management Dell Networking W-Series Instant 6.4.3.1-4.2.0.0 | User Guide

Section	Page
About this Guide	27
Intended Audience	27
Related Documents	27
Conventions	27
Contacting Dell	28
About Instant	29
Instant Overview	29
Supported AP Platforms	29
Instant UI	31
Instant CLI	32
What is New in this Release	32
Support for New W-IAP Devices	34
No Support for W-IAP92/93	35
Setting up a W-IAP	36
Setting up Instant Network	36
Connecting a W-IAP	36
Assigning an IP address to the W-IAP	36
Assigning a Static IP	37
Connecting to a Provisioning Wi-Fi Network	37
W-IAP Cluster	37
Disabling the Provisioning Wi-Fi Network	38
Logging in to the Instant UI	38
Regulatory Domains	39
Specifying Country Code	39
Accessing the Instant CLI	40
Connecting to a CLI Session	40
Applying Configuration Changes	40
Using Sequence Sensitive Commands	41
Automatic Retrieval of Configuration	43
Managed Mode Operations	43
Pre-requisites	43
Configuring Managed Mode Parameters	44
Example	45
Verifying the Configuration	45
Instant User Interface	47
Login Screen	47
Viewing Connectivity Summary	47
Language	47
Logging into the Instant UI	47
Main Window	48
Banner	48
Search	48
Tabs	48
Networks Tab	49
Access Points Tab	49
Clients Tab	50
Links	50
New Version Available	50
System	51
RF	51
Security	51
Maintenance	52
More	52
VPN	53
IDS	53
Wired	54
Services	55
DHCP Server	56
Support	56
Help	57
Logout	57
Monitoring	57
Info	57
RF Dashboard	59
RF Trends	61
Usage Trends	61
Mobility Trail	67
Client Match	67
AppRF	68
Spectrum	68
Alerts	69
IDS	73
AirGroup	74
Configuration	74
W-AirWave Setup	75
Pause/Resume	75
Views	75
Initial Configuration Tasks	77
Basic Configuration Tasks	77
Modifying the W-IAP Name	77
In the Instant UI	78
In the CLI	78
Updating Location Details of a W-IAP	78
In the Instant UI	78
In the CLI	78
Configuring a Preferred Band	78
In the Instant UI	78
In the CLI	78
Configuring Virtual Controller IP Address	78
In the Instant UI	79
In the CLI	79
Configuring a Timezone	79
In the Instant UI	79
In the CLI	79
Configuring an NTP Server	79
In the Instant UI	80
In the CLI	80
Enabling AppRF Visibility	80
Changing Password	80
In the Instant UI	80
In the CLI	80
Additional Configuration Tasks	80
Configuring Virtual Controller Network Settings	81
In the Instant UI	81
In the CLI	82
Configuring Auto Join Mode	82
Enabling or Disabling Auto Join Mode	82
In the Instant UI	82
In the CLI	83
Configuring Terminal Access	83
In the Instant UI	83
In the CLI	83
Configuring Console Access	83
In the Instant UI	83
In the CLI	83
Configuring LED Display	84
In the Instant UI	84
In the CLI	84
Configuring Additional WLAN SSIDs	84
Enabling the Extended SSID	85
In the Instant UI	85
In the CLI	85
Preventing Inter-user Bridging	85
In the Instant UI	85
In the CLI	85
Preventing Local Routing between Clients	86
In the Instant UI	86
In the CLI	86
Enabling Dynamic CPU Management	86
In the Instant UI	86
In the CLI	87
Customizing W-IAP Settings	88
Modifying the W-IAP Hostname	88
In the Instant UI	88
In the CLI	88
Configuring Zone Settings on a W-IAP	88
In the Instant UI	88
In the CLI	89
Specifying a Method for Obtaining IP Address	89
In the Instant UI	89
In the CLI	89
Configuring External Antenna	89
EIRP and Antenna Gain	89
Configuring Antenna Gain	90
In the Instant UI	90
In the CLI	90
Configuring Radio Profiles for a W-IAP	90
Configuring ARM Assigned Radio Profiles for a W-IAP	91
Configuring Radio Profiles Manually for W-IAP	91
In the CLI	92
Configuring Uplink VLAN for a W-IAP	92
In the Instant UI	92
In the CLI	92
Changing USB Port Status	92
In the Instant UI	93
In the CLI	93
Master Election and Virtual Controller	93
Master Election Protocol	93
Preference to a W-IAP with 3G/4G Card	93
Preference to a W-IAP with Non-Default IP	94
Viewing Master Election Details	94
Manual Provisioning of Master W-IAP	94
Provisioning a W-IAP as a Master W-IAP	94
In the Instant UI	94
In the CLI	95
Adding a W-IAP to the Network	95
Removing a W-IAP from the Network	95
VLAN Configuration	96
VLAN Pooling	96
Uplink VLAN Monitoring and Detection on Upstream Devices	96
Wireless Network Profiles	97
Configuring Wireless Network Profiles	97
Network Types	97
Configuring WLAN Settings for an SSID Profile	98
In the Instant UI	98
In the CLI	101
Configuring VLAN Settings for a WLAN SSID Profile	102
In the Instant UI	102
In the CLI	103
Configuring Security Settings for a WLAN SSID Profile	104
Configuring Security Settings for an Employee or Voice Network	104
In the Instant UI	104
In the CLI	110
Configuring Access Rules for a WLAN SSID Profile	111
In the Instant UI	112
In the CLI	112
Configuring Fast Roaming for Wireless Clients	113
Opportunistic Key Caching	113
Configuring a W-IAP for OKC Roaming	113
In the Instant UI	114
In the CLI	114
Fast BSS Transition (802.11r Roaming)	114
Configuring a W-IAP for 802.11r support	115
In the Instant UI	115
In the CLI	115
Example	115
Radio Resource Management (802.11k)	115
Beacon Report Requests and Probe Responses	116
Configuring a WLAN SSID for 802.11k Support	116
In the Instant UI	116
In the CLI	116
Example	116
BSS Transition Management (802.11v)	116
Configuring a WLAN SSID for 802.11v Support	116
In the Instant UI	117
In the CLI	117
Example	117
Editing Status of a WLAN SSID Profile	117
In the Instant UI	117
In the CLI	117
Editing a WLAN SSID Profile	117
Deleting a WLAN SSID Profile	118
Wired Profiles	119
Configuring a Wired Profile	119
Configuring Wired Settings	119
In the Instant UI	119
In the CLI	120
Configuring VLAN for a Wired Profile	120
In the Instant UI	120
In the CLI	121
Configuring Security Settings for a Wired Profile	121
Configuring Security Settings for a Wired Employee Network	121
In the Instant UI	121
In the CLI	122
Configuring Access Rules for a Wired Profile	122
In the Instant UI	122
In the CLI	123
Assigning a Profile to Ethernet Ports	124
In the Instant UI	124
In the CLI	124
Editing a Wired Profile	124
Deleting a Wired Profile	124
Link Aggregation Control Protocol	125
Understanding Hierarchical Deployment	126
Captive Portal for Guest Access	127
Understanding Captive Portal	127
Types of Captive Portal	127
Walled Garden	128
Configuring a WLAN SSID for Guest Access	128
In the Instant UI	128
In the CLI	132
Configuring Wired Profile for Guest Access	133
In the Instant UI	133
In the CLI	134
Configuring Internal Captive Portal for Guest Network	135
In the Instant UI	135
In the CLI	137
wConfiguring External Captive Portal for a Guest Network	138
External Captive Portal Profiles	138
Creating a Captive Portal Profile	138
In the Instant UI	138
In the CLI	139
Configuring an SSID or Wired Profile to Use External Captive Portal Authentic...	140
In the Instant UI	140
In the CLI	141
External Captive Portal Redirect Parameters	142
Configuring External Captive Portal Authentication Using ClearPass Guest	142
Creating a Web Login page in ClearPass Guest	143
Configuring RADIUS Server in Instant UI	143
Configuring Facebook Login	143
Setting up a Facebook Page	144
Configuring an SSID	144
In the Instant UI	144
In the CLI	144
Example	144
Configuring the Facebook Portal Page	144
Accessing the Portal Page	145
Configuring Guest Logon Role and Access Rules for Guest Users	145
In the Instant UI	145
In the CLI	146
Example	146
Configuring Captive Portal Roles for an SSID	147
In the Instant UI	147
In the CLI	149
Configuring Walled Garden Access	150
In the Instant UI	150
In the CLI	150
Disabling Captive Portal Authentication	150
Authentication and User Management	152
Managing W-IAP Users	152
Configuring W-IAP Users	153
In the Instant UI	153
In the CLI	154
Configuring Authentication Parameters for Management Users	154
In the Instant UI	154
In the CLI	155
Adding Guest Users through the Guest Management Interface	156
Supported Authentication Methods	156
802.1X authentication	157
MAC authentication	157
MAC authentication with 802.1X authentication	157
Captive Portal Authentication	157
MAC authentication with Captive Portal authentication	158
802.1X authentication with Captive Portal Role	158
WISPr authentication	158
Supported EAP Authentication Frameworks	158
Authentication Termination on W-IAP	159
Configuring Authentication Servers	159
Supported Authentication Servers	159
Internal RADIUS Server	159
External RADIUS Server	160
RADIUS Server Authentication with VSA	160
TACACS Servers	164
Dynamic Load Balancing between Two Authentication Servers	164
Configuring an External Server for Authentication	164
In the Instant UI	164
In the CLI	168
Enabling RADIUS Communication over TLS	169
Configuring RadSec Protocol	169
In the UI	169
In the CLI	170
Associate the Server Profile with a Network Profile	170
In the CLI	170
Configuring Dynamic RADIUS Proxy Parameters	171
Enabling Dynamic RADIUS Proxy	171
In the Instant UI	171
In the CLI	171
Configuring Dynamic RADIUS Proxy Parameters	171
In the Instant UI	171
In the CLI	172
Associate Server Profiles to a Network Profile	172
In the CLI	172
Understanding Encryption Types	173
WPA and WPA2	173
Recommended Authentication and Encryption Combinations	174
Configuring Authentication Survivability	174
Enabling Authentication Survivability	175
In the Instant UI	175
Important Points to Remember	175
In the CLI	175
Configuring 802.1X Authentication for a Network Profile	176
Configuring 802.1X Authentication for a Wireless Network Profile	176
In the Instant UI	176
In the CLI	177
Configuring 802.1X Authentication for Wired Profiles	177
In the Instant UI	177
In the CLI	177
Configuring MAC Authentication for a Network Profile	177
Configuring MAC Authentication for Wireless Network Profiles	178
In the Instant UI	178
In the CLI	178
Configuring MAC Authentication for Wired Profiles	179
In the Instant UI	179
In the CLI	179
FConfiguring MAC Authentication with 802.1X Authentication	179
Configuring MAC and 802.1X Authentication for a Wireless Network Profile	180
In the Instant UI	180
In the CLI	180
Configuring MAC and 802.1X Authentication for Wired Profiles	180
In the Instant UI	180
In the CLI	181
hConfiguring MAC Authentication with Captive Portal Authentication	181
In the Instant UI	181
In the CLI	181
Configuring WISPr Authentication	182
In the Instant UI	182
In the CLI	183
Blacklisting Clients	183
Blacklisting Clients Manually	183
Adding a Client to the Blacklist	183
In the Instant UI	183
In the CLI	183
Blacklisting Users Dynamically	184
Authentication Failure Blacklisting	184
Session Firewall Based Blacklisting	184
Configuring Blacklist Duration	184
In the Instant UI	184
In the CLI	184
Uploading Certificates	186
Loading Certificates through Instant UI	186
Loading Certificates through Instant CLI	186
Removing Certificates	187
Loading Certificates through W-AirWave	187
Roles and Policies	189
Firewall Policies	189
Access Control List Rules	189
Configuring ACL Rules for Network Services	189
In the Instant UI	190
In the CLI	191
Example	191
Configuring Network Address Translation Rules	192
Configuring a Source NAT Access Rule	192
In the Instant UI	192
In the CLI	193
Configuring Source-Based Routing	193
Configuring a Destination NAT Access Rule	193
In the Instant UI	193
In the CLI	194
Configuring ALG Protocols	194
In the Instant UI	194
In the CLI	194
Configuring Firewall Settings for Protection from ARP Attacks	195
In the Instant UI	195
In the CLI	195
Managing Inbound Traffic	196
Configuring Inbound Firewall Rules	196
In the Instant UI	196
In the CLI	198
Example	198
Configuring Management Subnets	199
In the Instant UI	199
In the CLI	199
Configuring Restricted Access to Corporate Network	199
In the Instant UI	199
In the CLI	200
Content Filtering	200
Enabling Content Filtering	200
Enabling Content Filtering for a Wireless Profile	200
In the Instant UI	200
In the CLI	201
Enabling Content Filtering for a Wired Profile	201
In the Instant UI	201
In the CLI	201
Configuring Enterprise Domains	201
In the Instant UI	201
In the CLI	201
Configuring URL Filtering Policies	202
In the Instant UI	202
In the CLI	202
Example	203
Creating Custom Error Page for Web Access Blocked by AppRF Policies	203
Creating a List of Error Page URLs	203
In the Instant UI	203
In the CLI	203
Configuring ACL Rules to Redirect Users to a Specific URL	203
In the UI	203
In the CLI	203
Configuring User Roles	204
Creating a User Role	204
In the Instant UI	204
In the CLI	204
Assigning Bandwidth Contracts to User Roles	204
In the Instant UI	205
In the CLI:	205
Configuring Machine and User Authentication Roles	205
In the Instant UI	206
In the CLI	206
Configuring Derivation Rules	206
Understanding Role Assignment Rule	206
RADIUS VSA Attributes	206
MAC-Address Attribute	206
Roles Based on Client Authentication	207
DHCP Option and DHCP Fingerprinting	207
Creating a Role Derivation Rule	207
In the Instant UI	207
In the CLI	208
Example	208
Understanding VLAN Assignment	208
Vendor Specific Attributes	209
VLAN Assignment Based on Derivation Rules	210
User Role	211
VLANs Created for an SSID	211
Configuring VLAN Derivation Rules	211
In the Instant UI	211
In the CLI	212
Example	212
Using Advanced Expressions in Role and VLAN Derivation Rules	212
Configuring a User Role for VLAN Derivation	213
Creating a User VLAN Role	214
In the Instant UI	214
In the CLI	214
Assigning User VLAN Roles to a Network Profile	214
In the Instant UI	214
In the CLI	214
DHCP Configuration	215
Configuring DHCP Scopes	215
Configuring Local DHCP Scopes	215
In the Instant UI	215
In the CLI	216
Configuring Distributed DHCP Scopes	217
In the Instant UI	218
In the CLI	219
Configuring Centralized DHCP Scopes	220
In the Instant UI	220
In the CLI	222
Configuring the Default DHCP Scope for Client IP Assignment	222
In the Instant UI	223
In the CLI	223
VPN Configuration	225
Understanding VPN Features	225
Supported VPN Protocols	226
Configuring a Tunnel from a W-IAP to Dell Networking W-Series Mobility Contro...	226
Configuring an IPSec Tunnel	227
In the Instant UI	227
In the CLI	228
Example	228
Configuring an L2-GRE Tunnel	228
Configuring Manual GRE Parameters	228
In the Instant UI	229
In the CLI	229
Configuring Dell GRE Parameters	230
In the Instant UI	230
In the CLI	231
Configuring an L2TPv3 Tunnel	231
In the Instant UI	232
In the CLI	234
Example	234
Configuring Routing Profiles	237
In the Instant UI	237
In the CLI	238

Match case Limit results 1 per page

157

| Authentication and User Management

Dell Networking W-Series Instant 6.4.3.1-4.2.0.0 | User Guide

802.1X authentication

802.1X is an IEEE standard that provides an authentication framework for WLANs. 802.1X uses the Extensible

Authentication Protocol (EAP) to exchange messages during the authentication process. The authentication

protocols that operate inside the 802.1X framework include EAP-Transport Layer Security (EAP-TLS), Protected

EAP (PEAP), and EAP-Tunneled TLS (EAP-TTLS). These protocols allow the network to authenticate the client

while also allowing the client to authenticate the network. For more information on EAP authentication

framework supported by the W-IAP, see

Supported EAP Authentication Frameworks on page 158

802.1X authentication method allows a W-IAP to authenticate the identity of a user before providing network

access to the user. The Remote Authentication Dial In User Service (RADIUS) protocol provides centralized

authentication, authorization, and accounting management. For authentication purpose, the wireless client can

associate to a network access server (NAS) or RADIUS client such as a wireless W-IAP. The wireless client can

pass data traffic only after successful 802.1X authentication.

For more information on configuring a W-IAP to use 802.1X authentication, see

Configuring 802.1X

Authentication for a Network Profile on page 176

MAC authentication

MAC authentication is used for authenticating devices based on their physical MAC addresses. MAC

authentication requires that the MAC address of a machine matches a manually defined list of addresses. This

authentication method is not recommended for scalable networks and the networks that require stringent

security settings. For more information on configuring a W-IAP to use MAC authentication, see

Configuring

MAC Authentication for a Network Profile on page 177

MAC authentication with 802.1X authentication

This authentication method has the following features:

MAC authentication precedes 802.1X authentication - The administrators can enable MAC authentication

for 802.1X authentication. MAC authentication shares all the authentication server configurations with

802.1X authentication. If a wireless or wired client connects to the network, MAC authentication is

performed first. If MAC authentication fails, 802.1X authentication does not trigger. If MAC authentication

is successful, 802.1X authentication is attempted. If 802.1X authentication is successful, the client is

assigned an 802.1X authentication role. If 802.1X authentication fails, the client is assigned a

deny-all

role

mac-auth-only

role.

MAC authentication only role - Allows you to create a

mac-auth-only

role to allow role-based access rules

when MAC authentication is enabled for 802.1X authentication. The

mac-auth-only

role is assigned to a

client when the MAC authentication is successful and 802.1X authentication fails. If 802.1X authentication

is successful, the

mac-auth-only

role is overwritten by the final role. The

mac-auth-only

role is primarily

used for wired clients.

L2 authentication fall-through - Allows you to enable the

l2-authentication-fallthrough

mode. When this

option is enabled, the 802.1X authentication is allowed even if the MAC authentication fails. If this option is

disabled, 802.1X authentication is not allowed. The

l2-authentication-fallthrough

mode is disabled by

default.

For more information on configuring a W-IAP to use MAC + 802.1X Authentication, see

FConfiguring MAC

Authentication with 802.1X Authentication on page 179

Captive Portal Authentication

Captive portal authentication is used for authenticating guest users. For more information on captive portal

authentication, see

Captive Portal for Guest Access on page 127